The discussion over backdoor access in IT products received more fodder this year thanks to the FBI and Lenovo.

First, FBI Director Christopher Wray said that encrypted devices that can't be unlocked by law enforcement are a "public safety issue." Speaking at the FBI International Conference on Cyber Security earlier this month, he said the FBI currently possesses nearly 7,800 locked devices that it can't access despite having warrants. While Wray said the FBI is not looking for backdoor access to devices, he criticized the technology industry for not pursuing a "responsible solution" to the problem.

Then, shortly after Wray's comments, Lenovo issued a security advisory announcing it had found an authentication bypass mechanism in the Enterprise Networking Operating System (ENOS) software that runs some of the computer-maker's switches.

The bigger problem, according to the security advisory, was that the mechanism was named "HP backdoor"; Lenovo discovered it had been placed in ENOS in 2004, when the software was owned by Nortel Networks, following a request from a Nortel OEM customer. However, it's unclear why Nortel decided to add a backdoor to the OS and whether HP refers to Hewlett Packard Enterprise.

Lenovo's security advisory adds a wrinkle to the debate over strong encryption. Does Wray's criticism of technology companies have merit? How could the HP backdoor go unnoticed for so long? How common are vendor-created backdoor access points in popular technology products? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

Is your organization concerned about vendor-created backdoors in the products you use? Why or why not?
